On Tue, 14 Apr 1998, Marcus J. Ranum wrote:

> That's what I'm talking about. IDS' useful role is as a backstop
> against intrusions that have succeeded, not as frontal armor against
> known attacks which (most likely) won't succeed. Note that most of
> the current IDS products on the market are the "frontal armor" type.

Well, maybe if you did decide to, say, for example, email the ISP upstream of where the attacks are coming from, you might stop them _before_ they break in.

> I guess I'm doing a lousy job of explaining myself (chalk it up to
> fatigue) -- the place where IDS are valuable is as automated tools
> to do what Ches used to call "Tar Babies" -- traps and alarms that
> are scattered within the network, to call attention to the presence
> of unusual activity. This DOES NOT mean that they'll catch the attack
> based on the attack technique used!!

I understand what you mean and I agree. I guess my point is that unless you look at the traffic and follow up on it, even things that would normally not succeed in breaking in, then you will be in the dark. What the IDS allows you to do is let you know when something interesting is happening. Then you can break out the network sniffer and take a look _for_yourself_ at what's going on. You may find some interesting things. But again you are correct that this may take too much time for most people; that's why large companies (should) have a full time security staff.

> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr

Aleph One / aleph1at_private
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
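The distinction the two posters are drawing, "frontal armor" that matches known attack techniques versus "tar baby" traps that alarm on any touch of something nobody legitimate should touch, can be shown side by side in a few lines. The following is an added illustration, not code from the thread or from Network Flight Recorder; the signature strings, decoy port numbers and sample connection events are all constructed for the example.

```python
"""Two IDS roles side by side: signature matching on known techniques
('frontal armor') versus decoy-service alarms ('tar babies') that fire
regardless of the technique used.  Added example; all data constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One connection seen by the sensor (constructed sample values)."""
    src: str        # source address
    dst_port: int   # destination port on the monitored host
    payload: str    # first bytes of the request, as readable text


# Constructed stand-ins for "known attack" patterns (hypothetical markers).
KNOWN_SIGNATURES = ("KNOWN-CGI-ATTACK-MARKER", "KNOWN-OVERFLOW-MARKER")

# Decoy ports: no real service listens here, so any contact is unusual activity.
DECOY_PORTS = frozenset({2222, 8081, 10001})


def signature_alerts(events):
    """Frontal-armor style: alert only when the payload matches a known pattern."""
    return [e for e in events if any(sig in e.payload for sig in KNOWN_SIGNATURES)]


def trap_alerts(events):
    """Tar-baby style: alert on any touch of a decoy port, whatever the payload.
    A novel technique is caught here even though no signature exists for it."""
    return [e for e in events if e.dst_port in DECOY_PORTS]


def sources_to_follow_up(events):
    """Sources an analyst would then examine with a sniffer or report upstream:
    the union of what both detectors flagged."""
    flagged = signature_alerts(events) + trap_alerts(events)
    return sorted({e.src for e in flagged})


# Constructed traffic: two normal requests, one known (and likely failing)
# attack against a real port, one unknown probe against a decoy port.
SAMPLE_EVENTS = [
    Event("198.51.100.7", 80, "GET /index.html"),
    Event("198.51.100.7", 80, "GET /cgi-bin/KNOWN-CGI-ATTACK-MARKER"),
    Event("203.0.113.9", 2222, "unknown-protocol-bytes"),
    Event("192.0.2.44", 80, "GET /about.html"),
]

if __name__ == "__main__":
    print("signature hits:", [e.src for e in signature_alerts(SAMPLE_EVENTS)])
    print("trap hits:     ", [e.src for e in trap_alerts(SAMPLE_EVENTS)])
    print("follow up on:  ", sources_to_follow_up(SAMPLE_EVENTS))
```

The signature detector sees only the known (and, per Ranum, probably unsuccessful) attempt; the decoy detector sees the probe it has no pattern for. Neither output is a verdict: both are the cue for the analyst to capture the traffic and look at it, which is the follow-up step the reply insists on.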
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:22 PDT